Hackers bust Microsoft's anti-piracy system

Hackers found a way around Microsoft's Windows Genuine Advantage (WGA) anti-piracy system last week, only a day after the system went into effect.

WGA requires Windows users to verify they are using a genuine copy of Windows before they are allowed to download certain software updates. Security patches aren't covered by the system, and remain available to any Windows user, legitimate or not.

The system asks users to download an ActiveX control, which scans Windows to determine whether it is legitimate. If the software checks out, the control installs a key allowing future downloads. The system went into place on Monday.

But by Tuesday, a simple JavaScript hack was already circulating, it emerged late last week. All users had to do was paste a JavaScript URL into the Internet Explorer browser window at the beginning of the process; this turned off the key check, according to users.

To carry out the hack, users simply needed to insert the following line into Explorer's address bar before the WGA authentication check was carried out:

javascript:void(window.g_sDisableWGACheck='all')

Microsoft said it was investigating the hack but didn't consider it a security flaw. The company said that it may not take immediate action to fix the problem. "As the validation system is updated from time to time, we will address this and other issues that may arise," a Microsoft spokeswoman said.

There are other ways of getting around WGA as well, none of them particularly complicated, say users, which raises the question of how seriously Microsoft is intending to enforce its updating policy.

Another workaround involves disabling the Explorer add-on that enforces WGA. A third method involves changing an Explorer cookie. None of the hacks involves anything particularly technical.
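The JavaScript line and the cookie change both alter state held in the user's own browser. The following is an added example, not Microsoft's code and not part of the original article: a constructed JavaScript model that contrasts a gate trusting such state with one where the server keeps the validation result itself. Only the name `g_sDisableWGACheck` comes from the article; `clientSideGate`, `DownloadServer`, the session IDs and the evidence verifier are hypothetical.

```javascript
// Constructed model for illustration. Only the variable name
// g_sDisableWGACheck is taken from the article; the rest is assumed.

// Weak design: the page script decides whether validation is required and
// reads that decision from a global that anything running in the page can set.
function clientSideGate(pageGlobals, runValidation) {
  if (pageGlobals.g_sDisableWGACheck === 'all') {
    return { allowed: true, validated: false }; // check never runs
  }
  const ok = runValidation();
  return { allowed: ok, validated: ok };
}

// Hardened design: the server records the validation outcome in its own
// session store and consults only that store when a download is requested.
class DownloadServer {
  constructor(verifyEvidence) {
    this.verifyEvidence = verifyEvidence; // server-side verifier (assumed)
    this.validatedSessions = new Set();
  }

  // Called when the client submits its validation result for checking.
  submitValidation(sessionId, evidence) {
    if (this.verifyEvidence(evidence)) {
      this.validatedSessions.add(sessionId);
    }
    return this.validatedSessions.has(sessionId);
  }

  // clientClaims (script variables, cookies, form fields) is deliberately
  // ignored: anything the browser sends is untrusted input.
  requestDownload(sessionId, clientClaims = {}) {
    void clientClaims;
    return this.validatedSessions.has(sessionId);
  }
}
```

In the weak gate the download is allowed although validation never ran; in the server-side gate the same flag or a modified cookie has no effect on the outcome.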

Microsoft put WGA into place to cut down on Windows piracy, and to persuade users who are running pirated copies of Windows to buy legitimate licences. Some users may be using pirated copies without knowing it, according to the company. Microsoft originally ran the programme on a voluntary basis for several weeks before making it mandatory last week.